Threat Bulletin

Stryker’s Digital Backbone Fractured by Iranian Threat Group

Alert essentials:

Stryker Corporation, one of the world's largest medical technology companies, is experiencing severe global disruption from a cyberattack attributed to a pro-Palestinian hacktivist group associated with Iran.

Detailed threat description:

Early reports indicate the wiper attack began at Stryker's Ireland headquarters and forced employees offline worldwide. Containing it required a widespread shutdown of the corporate Windows environment, leaving thousands of employees without access to internal tools and work devices.

During the attack, the threat actors reportedly gained entry using administrative accounts and boldly defaced system login pages with the distinctive Handala logo. The Handala group is known for conducting politically motivated cyber warfare to cause economic disruption, rather than executing traditional financially driven ransomware campaigns. 

The Irish Examiner reports that the attack used wiper malware, which destroys files and leaves vital business data unrecoverable. Wipers typically arrive through the usual initial-access vectors (phishing emails, malicious downloads, compromised websites) and then overwrite file contents or disk structures such as boot records and partition tables, so that the loss cannot be reversed with file-recovery tools; some variants also remove user accounts to hinder response. Krebs on Security reports that Microsoft Intune appears to have been the software used to issue the remote wipe command. If so, no custom wiper was needed for that step: a remote wipe issued through a legitimate device-management platform with compromised administrative credentials does the same damage using trusted tooling, which endpoint malware defenses will not flag. Monitoring administrative actions in the MDM audit log, not just file-level malware signatures, is therefore essential.
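The following is an added example of that audit-log monitoring, written for this bulletin; it is not Fortified's, Stryker's or Microsoft's code. It flags any actor who issues wipe commands to several distinct devices inside a short window, the pattern a mass remote wipe through an MDM platform would leave. The event fields (activityType, actor, device, activityDateTime) and the activity-type value are an assumed, simplified shape for Intune audit events exported via Microsoft Graph; map your export's field names onto them. The sample events are constructed.

```python
"""Flag bursts of MDM remote-wipe commands in device-management audit events.

Added example for this bulletin; not Fortified's, Stryker's or Microsoft's code.
The event fields and the "wipeManagedDevice" activity type are assumptions
modelled on Intune audit events; confirm them against your tenant's export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed activity-type value for a remote wipe; confirm against your export.
WIPE_ACTIVITIES = {"wipeManagedDevice"}

# Constructed sample: a helpdesk account doing routine one-off wipes hours
# apart, and a privileged account wiping six workstations inside six minutes.
SAMPLE_EVENTS = [
    {"activityType": "wipeManagedDevice", "actor": "helpdesk@example.com",
     "device": "LAPTOP-0412", "activityDateTime": "2025-06-01T08:02:10Z"},
    {"activityType": "updateDeviceConfiguration", "actor": "svc-mdm@example.com",
     "device": "WS-1001", "activityDateTime": "2025-06-01T09:00:00Z"},
    {"activityType": "wipeManagedDevice", "actor": "helpdesk@example.com",
     "device": "LAPTOP-0977", "activityDateTime": "2025-06-01T13:40:55Z"},
] + [
    {"activityType": "wipeManagedDevice", "actor": "svc-mdm@example.com",
     "device": f"WS-{1000 + i}", "activityDateTime": f"2025-06-01T22:1{i}:00Z"}
    for i in range(6)  # 22:10 .. 22:15
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def wipe_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Return one alert per actor who wiped at least `threshold` distinct
    devices within any sliding window of length `window`."""
    by_actor = defaultdict(list)
    for e in events:
        if e.get("activityType") in WIPE_ACTIVITIES:
            by_actor[e["actor"]].append((parse_ts(e["activityDateTime"]), e["device"]))

    alerts = []
    for actor, wipes in by_actor.items():
        wipes.sort()
        start = 0
        for end in range(len(wipes)):
            # Advance the window's left edge until it spans at most `window`.
            while wipes[end][0] - wipes[start][0] > window:
                start += 1
            devices = {dev for _, dev in wipes[start:end + 1]}
            if len(devices) >= threshold:
                # Extend to the right edge of the window so the alert lists every
                # device wiped in the burst, then stop: one alert per actor.
                j = end
                while j + 1 < len(wipes) and wipes[j + 1][0] - wipes[start][0] <= window:
                    j += 1
                devices = {dev for _, dev in wipes[start:j + 1]}
                alerts.append({
                    "actor": actor,
                    "first": wipes[start][0].isoformat(),
                    "last": wipes[j][0].isoformat(),
                    "devices": sorted(devices),
                })
                break
    return alerts


if __name__ == "__main__":
    for a in wipe_bursts(SAMPLE_EVENTS):
        print(f"ALERT {a['actor']} wiped {len(a['devices'])} devices "
              f"between {a['first']} and {a['last']}: {', '.join(a['devices'])}")
```

The threshold and window are tuning knobs: a helpdesk that legitimately wipes a few lost laptops a day should never trip a five-devices-in-ten-minutes rule, while a bulk wipe aimed at a fleet will trip it on the first handful of commands, early enough to disable the account before the rest of the batch lands.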

Threat Defense at Fortified Health Security has added Indicators of Compromise (IoCs) from Handala's attacks to its internal technology stacks to enable deeper monitoring for suspicious activity. The team has focused its threat hunting on Iranian threat actors since the start of the Operation Epic Fury strikes.

With a portfolio spanning Medical and Surgical, Neurotechnology, Orthopedics, and Spine, Stryker offers products and services that healthcare professionals trust in over 100 countries. It is not clear when the attack will be resolved. However, Stryker teams are actively working to restore systems while continuing to investigate.

The Stryker cyberattack illustrates how rapidly a targeted, politically motivated cyber incident can escalate into a global operational crisis for a healthcare manufacturer. By permanently destroying data rather than demanding a ransom, the attackers not only disrupt Stryker’s business but also send a warning to the medical technology industry about the potential for geopolitical cyber warfare to affect patient care and critical supply chains.

Impacts on healthcare organizations:

Defending against third-party compromise in healthcare requires a proactive, multi-layered strategy that spans technology, process, and people. Hospitals must demand stronger security from vendors, tightly control third-party access to their networks, ensure robust security across all systems, and rehearse contingency plans for vendor-related outages.

These measures will help ensure that when another key partner is hit by ransomware or wiper malware, the hospital can isolate the threat and continue safe patient care with minimal disruption. By treating third-party cyber risk as a core element of patient safety and operational resilience, healthcare leaders can significantly reduce the likelihood that a vendor attack becomes a crisis for their organization.

Recommendations:

  • Immediately power down any Stryker-issued devices
  • If any Stryker devices are connected to medical equipment, physically disconnect the network cables
  • Shift to manual procedures where necessary
  • Be cautious of any emails or calls claiming to come from ‘Stryker Support’
  • Do not open or use any Stryker apps until further notice
  • Threat hunt for the following IoCs across endpoints:
    • Windows devices: a file named Update.zip, about 1 MB in size, carrying a .NET payload
    • Linux devices: an obfuscated Bash script named update.sh, about 80 KB in size
  • Strengthen vendor risk management and perform due diligence on vendors before onboarding
  • Maintain a dynamic inventory of all third parties with network or data access
  • Isolate and limit what third-party devices can reach with network segmentation
  • Enforce least privilege and secure remote access
  • Account for geopolitical and supply chain risks by evaluating if critical suppliers operate in regions under heightened threat and apply enhanced precautions or contingency plans
  • Regularly review and disable unused vendor accounts and connections so they cannot be used as backdoors
  • Extend your hospital’s IR plan to include third-party contingencies and communication channels
  • Clearly delineate roles for internal teams (IT, clinical, supply chain, leadership) in managing patient care during the outage and the transition back to normal operations, including restoration of virtual infrastructure platforms
  • Validate MFA enforcement across all privileged, administrative, and remote-access accounts
  • Review external attack surface exposure and disable unnecessary publicly accessible services
  • Increase monitoring scrutiny for credential abuse, anomalous login patterns, and impossible travel events
  • Reconfirm incident response escalation pathways, executive notification procedures, and downtime readiness protocols
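As an added example of the IoC hunt recommended above (written for this bulletin, not Fortified's or Stryker's code), the script below walks a filesystem for the two reported filenames and checks each match against the reported size, since the bulletin gives no hashes. The +/-25% size tolerance, the reading of "1 MB" and "80 KB" as 1,000,000 and 80,000 bytes, and the obfuscation heuristic for the shell script are assumptions. The demo() function builds a constructed directory tree so the hunt can be run offline; pass a real path as the first argument to hunt a live host.

```python
"""Hunt a filesystem for the two file IoCs listed in this bulletin.

Added example; not Fortified's or Stryker's code. Matching is by filename
(case-insensitive) plus a size window around the reported size; the tolerance
and the obfuscation heuristic are assumptions, not signatures from the bulletin.
"""
import hashlib
import os
import sys
import tempfile

# Reported IoCs: name and approximate size. "1MB"/"80kb" are taken as
# 1,000,000 and 80,000 bytes; the tolerance covers base-2 or base-10 readings.
IOCS = {
    "update.zip": 1_000_000,   # Windows: archive carrying a .NET payload
    "update.sh": 80_000,       # Linux: obfuscated Bash script
}
TOLERANCE = 0.25  # assumed


def sha256_of(path, chunk=1 << 20):
    """Hash the file in chunks so large matches do not load fully into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def looks_obfuscated_shell(path, sample=4096):
    """Cheap heuristic (assumed): eval / base64 decode markers or very long lines."""
    try:
        with open(path, "rb") as f:
            head = f.read(sample).decode("utf-8", "replace")
    except OSError:
        return False
    markers = ("eval ", "base64 -d", "base64 --decode", "xxd -r", "printf '\\x")
    long_line = any(len(line) > 500 for line in head.splitlines())
    return any(m in head for m in markers) or long_line


def hunt(root):
    """Walk `root`; return one dict per filename match with size and hash details."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            expected = IOCS.get(name.lower())
            if expected is None:
                continue
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # unreadable or vanished between listing and stat
            hit = {
                "path": path,
                "size": size,
                "size_match": abs(size - expected) <= expected * TOLERANCE,
                "sha256": sha256_of(path),  # record for sharing with peers/vendors
            }
            if name.lower().endswith(".sh"):
                hit["obfuscated"] = looks_obfuscated_shell(path)
            hits.append(hit)
    return hits


def demo():
    """Build a constructed tree (two real-looking matches, one benign name
    collision, one unrelated file) and run the hunt over it."""
    with tempfile.TemporaryDirectory() as root:
        cases = {
            os.path.join("Users", "svc", "Update.zip"): b"PK\x03\x04" + b"\0" * 999_996,
            os.path.join("tmp", "update.sh"):
                b'#!/bin/bash\neval "$(echo ' + b"A" * 79_950 + b' | base64 -d)"\n',
            os.path.join("opt", "update.sh"): b"#!/bin/sh\necho ok\n",  # benign
            os.path.join("home", "readme.txt"): b"not an IoC\n",
        }
        for rel, content in cases.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(content)
        return hunt(root)


if __name__ == "__main__":
    results = hunt(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for h in results:
        flag = "MATCH" if h["size_match"] else "name-only"
        print(f"{flag:9} {h['size']:>8} B  sha256={h['sha256'][:16]}...  {h['path']}")
```

Name-only hits are reported rather than dropped because an attacker can trivially change a payload's size while the staging path and filename stay the same; treat them as lower-confidence leads and let the recorded hash decide.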

These actions reinforce resilience and continuity of care rather than introducing new tooling or emergency measures.

Fortified recommends applying patches and updates where possible, and only after adequate testing in a non-production environment to ensure stability and compliance with organizational change management policies.
